Private networks are at risk from directed attacks that attempt to overwhelm services, discover passwords and other valuable information, and otherwise misuse private network resources. Many private networks possess a network security function intended to thwart these attacks; for example, networks may rely on employed or contracted network security professionals, armed with a vast array of security software tools, to monitor various types of network activities, to discriminate legitimate network activity from attacks, and to hopefully identify and stop attacks and avert any damage in the process.
Despite these efforts and the sophistication of available tools, a network security administrator and/or system typically faces a daunting task of sifting through vast quantities of information representing legitimate or low-risk network activity in order to identify relevant threats; all too often, the relevance of specific information is only detected once damage has already occurred. That is, in most cases (including notable high-profile “credit card number theft” cases from major retailers), network administrators typically possessed specific information identifying each attack months ahead of time, when the attack was first begun, but failed to take adequate corrective action at the time because those administrators remained unaware of the presence and relevance of the information reflecting the attacks. It is also noted that attackers are often organized, collaborating in a manner where a pattern of attack is replicated and/or coordinated from multiple sources and locations; that is, directed attacks are often organized in the sense that the same attack pattern is often used in succession or parallel against many different targeted networks.
Attempts have been made to share information about attacks across targeted networks, for example, so that one network administrator can learn about attacks against other, similarly situated networks, and thus either take preemptive action or be put in a position to be alerted to the relevance of specific, actionable information before or as activity occurs. Such attempts have generally met with mixed results. The most common mechanism for the sharing of potential threat information is in the form of posted, open-community forums or information feeds, where any shared information is usually manually selected by an unknown group of personnel. From the vantage point of a subscriber to such a community or such feeds, this type of information might be from unknown or untrusted sources, it might represent legitimate attacks against non-similarly situated networks (which might consequently be of low relevance), it might represent varying thresholds of perceived threat (e.g., the risk might be negligible) or it might otherwise represent a source of “false positives” (i.e., information reported as threats when no threat is truly present). Such sharing mechanisms are therefore also, once again, typically awash in irrelevant information, rendering it difficult for a feed or community subscriber to identify relevant, actionable information. 
Note in this regard that it is generally very difficult to share information of high probative value between parties, i.e., the sharing of specific threat information can convey network security strengths and weaknesses, network security response strategies, competitively-sensitive information, information restricted by law, or information otherwise detrimental to the network sharing the information; for example, in a common example where a major retailer's consumer database is hacked, the last thing that such a major retailer typically wants is to “informally” publicize information concerning an attack (which if done outside of highly controlled circumstances might increase attack damage, enhance retailer liability or damage retailer reputation). The sharing of high-relevancy information between similarly-situated networks therefore tends to be ad hoc, for example, direct email, messaging or phone exchange between specific individuals with a trusted personal relationship; pursuant to such a relationship, the discretion of the recipient is generally relied upon to sanitize information, which effectively restricts how widely such a practice is used; as a consequence, there is no easy way to quickly, reliably and/or automatically share relevant information across institutions or in a manner that can be forwarded.
Techniques are therefore needed for the exchange of network security information between similarly situated networks. Ideally, such techniques would also feature some type of relevancy function, i.e., such that threats can be prioritized based on severity, without requiring network security administrators to manually sift through “false positives.” The present invention addresses these needs and provides further, related advantages.
The invention defined by the enumerated claims may be better understood by referring to the following detailed description, which should be read in conjunction with the accompanying drawings. This description of one or more particular embodiments, set out below to enable one to build and use various implementations of the invention or inventions set forth by the claims, is not intended to limit the enumerated claims, but to exemplify their application.